mirror of
https://github.com/ultravioletrs/cocos.git
synced 2026-06-23 04:10:25 +00:00
Sammy Kerata Oina
8eb1fac9ad
* Refactor and update dependencies in the project - Updated go.sum to replace `github.com/absmach/magistrala` with `github.com/absmach/supermq` across various modules. - Removed VSock configuration from environment variables and QEMU arguments. - Updated QEMU configuration and related tests to remove references to guest CID and VSock. - Added new HTTP transport layer for API endpoints in the manager. - Introduced Prometheus monitoring configuration with alert rules and Alertmanager setup. - Updated service and VM interfaces to remove unused methods and references. - Refactored tests to align with the new structure and dependencies. Signed-off-by: Sammy Oina <sammyoina@gmail.com> * Add MaxVMs configuration and enforce limit on VM creation Signed-off-by: Sammy Oina <sammyoina@gmail.com> * Add comprehensive tests for HTTP transport handlers and endpoints Signed-off-by: Sammy Oina <sammyoina@gmail.com> * Add test case for exceeding maximum number of VMs in TestRun Signed-off-by: Sammy Oina <sammyoina@gmail.com> * Improve error handling in TestHandlerWithCustomRouter to ensure response writing is checked Signed-off-by: Sammy Oina <sammyoina@gmail.com> * Update dependencies to latest versions - Upgrade cel.dev/expr from v0.23.0 to v0.24.0 - Upgrade github.com/absmach/supermq from v0.16.0 to v0.17.0 - Upgrade github.com/cenkalti/backoff from v4.3.0 to v5.0.2 - Upgrade github.com/cncf/xds/go to v0.0.0-20250501225837-2ac532fd4443 - Upgrade github.com/go-chi/chi/v5 from v5.2.1 to v5.2.2 - Upgrade github.com/go-jose/go-jose/v3 from v3.0.3 to v3.0.4 - Upgrade github.com/gofrs/uuid/v5 from v5.3.0 to v5.3.2 - Upgrade github.com/prometheus/client_golang from v1.22.0 to v1.23.0 - Upgrade github.com/prometheus/client_model from v0.6.1 to v0.6.2 - Upgrade github.com/prometheus/common from v0.62.0 to v0.65.0 - Upgrade github.com/prometheus/procfs from v0.15.1 to v0.16.1 - Upgrade go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp from v0.60.0 to v0.62.0 - Upgrade go.opentelemetry.io/otel/exporters/otlp/otlptrace from v1.36.0 to v1.37.0 - Upgrade golang.org/x/crypto from v0.39.0 to v0.40.0 - Upgrade golang.org/x/sys from v0.33.0 to v0.34.0 - Upgrade golang.org/x/text from v0.26.0 to v0.27.0 - Upgrade golang.org/x/time from v0.11.0 to v0.12.0 - Upgrade google.golang.org/grpc from v1.73.0 to v1.74.2 Signed-off-by: Sammy Oina <sammyoina@gmail.com> --------- Signed-off-by: Sammy Oina <sammyoina@gmail.com>
134 lines
3.4 KiB
Go
134 lines
3.4 KiB
Go
// Copyright (c) Ultraviolet
|
|
// SPDX-License-Identifier: Apache-2.0
|
|
|
|
package grpc
|
|
|
|
import (
|
|
"crypto/rand"
|
|
"crypto/tls"
|
|
"crypto/x509"
|
|
"encoding/hex"
|
|
"encoding/pem"
|
|
"fmt"
|
|
"os"
|
|
"time"
|
|
|
|
"github.com/absmach/supermq/pkg/errors"
|
|
"github.com/ultravioletrs/cocos/pkg/atls"
|
|
"github.com/ultravioletrs/cocos/pkg/attestation"
|
|
"google.golang.org/grpc/credentials"
|
|
)
|
|
|
|
func setupATLS(cfg AgentClientConfig) (credentials.TransportCredentials, security, error) {
|
|
security := withaTLS
|
|
|
|
info, err := os.Stat(cfg.AttestationPolicy)
|
|
if err != nil {
|
|
return nil, withoutTLS, errors.Wrap(fmt.Errorf("failed to stat attestation policy file"), err)
|
|
}
|
|
|
|
if !info.Mode().IsRegular() {
|
|
return nil, withoutTLS, fmt.Errorf("attestation policy file is not a regular file: %s", cfg.AttestationPolicy)
|
|
}
|
|
|
|
attestation.AttestationPolicyPath = cfg.AttestationPolicy
|
|
|
|
var rootCAs *x509.CertPool = nil
|
|
|
|
if len(cfg.ServerCAFile) > 0 {
|
|
// Read the certificate file
|
|
certPEM, err := os.ReadFile(cfg.ServerCAFile)
|
|
if err != nil {
|
|
return nil, withoutTLS, errors.Wrap(fmt.Errorf("failed to read certificate file"), err)
|
|
}
|
|
|
|
// Decode the PEM block
|
|
block, _ := pem.Decode(certPEM)
|
|
if block == nil {
|
|
return nil, withoutTLS, fmt.Errorf("failed to decode PEM block")
|
|
}
|
|
|
|
// Parse the certificate
|
|
cert, err := x509.ParseCertificate(block.Bytes)
|
|
if err != nil {
|
|
return nil, withoutTLS, errors.Wrap(fmt.Errorf("failed to parse certificate"), err)
|
|
}
|
|
|
|
rootCAs = x509.NewCertPool()
|
|
rootCAs.AddCert(cert)
|
|
|
|
security = withmaTLS
|
|
}
|
|
|
|
nonce := make([]byte, 64)
|
|
if _, err := rand.Read(nonce); err != nil {
|
|
return nil, withoutTLS, errors.Wrap(fmt.Errorf("failed to generate nonce"), err)
|
|
}
|
|
|
|
encoded := hex.EncodeToString(nonce)
|
|
sni := fmt.Sprintf("%s.nonce", encoded)
|
|
|
|
tlsConfig := &tls.Config{
|
|
InsecureSkipVerify: true,
|
|
RootCAs: rootCAs,
|
|
ServerName: sni,
|
|
VerifyPeerCertificate: func(rawCerts [][]byte, verifiedChains [][]*x509.Certificate) error {
|
|
return verifyPeerCertificateATLS(rawCerts, verifiedChains, nonce, rootCAs)
|
|
},
|
|
}
|
|
|
|
if cfg.ClientCert != "" || cfg.ClientKey != "" {
|
|
certificate, err := tls.LoadX509KeyPair(cfg.ClientCert, cfg.ClientKey)
|
|
if err != nil {
|
|
return nil, withoutTLS, errors.Wrap(errFailedToLoadClientCertKey, err)
|
|
}
|
|
tlsConfig.Certificates = []tls.Certificate{certificate}
|
|
}
|
|
|
|
return credentials.NewTLS(tlsConfig), security, nil
|
|
}
|
|
|
|
func verifyPeerCertificateATLS(rawCerts [][]byte, verifiedChains [][]*x509.Certificate, nonce []byte, rootCAs *x509.CertPool) error {
|
|
cert, err := x509.ParseCertificate(rawCerts[0])
|
|
if err != nil {
|
|
return errors.Wrap(errCertificateParse, err)
|
|
}
|
|
|
|
err = checkIfCertificateSigned(cert, rootCAs)
|
|
if err != nil {
|
|
return errors.Wrap(errAttVerification, err)
|
|
}
|
|
|
|
for _, ext := range cert.Extensions {
|
|
pType, err := atls.GetPlatformTypeFromOID(ext.Id)
|
|
if err == nil {
|
|
pubKeyDER, err := x509.MarshalPKIXPublicKey(cert.PublicKey)
|
|
if err != nil {
|
|
return fmt.Errorf("failed to marshal public key to DER format: %w", err)
|
|
}
|
|
|
|
return atls.VerifyCertificateExtension(ext.Value, pubKeyDER, nonce, pType)
|
|
}
|
|
}
|
|
|
|
return fmt.Errorf("attestation extension not found in certificate")
|
|
}
|
|
|
|
func checkIfCertificateSigned(cert *x509.Certificate, rootCAs *x509.CertPool) error {
|
|
if rootCAs == nil {
|
|
rootCAs = x509.NewCertPool()
|
|
rootCAs.AddCert(cert)
|
|
}
|
|
|
|
opts := x509.VerifyOptions{
|
|
Roots: rootCAs,
|
|
CurrentTime: time.Now(),
|
|
}
|
|
|
|
if _, err := cert.Verify(opts); err != nil {
|
|
return err
|
|
}
|
|
|
|
return nil
|
|
}
|